Oct 13, 2021
Password security is an essential component of keeping organizational data secure. However, more often than not, users do not do a great job of adhering to password guidelines and best practices. In fact, recent studies confirm that a vast majority of cybersecurity breaches occur due to weak or compromised passwords. This is why multi-factor authentication, or MFA, is quickly becoming the new norm for authenticating accounts and keeping data secure.
Multi-factor authentication (MFA) is an authentication method that requires users to provide two or more points of verification to gain access to data via applications, accounts, or other resources. Rather than relying on a static, often user-generated, username and password, MFA methods call for at least one additional verification factor, which makes it more challenging for cybercriminals to breach secure data.
Any multi-factor authentication method will employ at least one of these three elements: knowledge, possession, and inherence. Knowledge refers to something you must know, possession refers to something that you have, and inherence refers to parts of your identity. So for example, some methods of authentication will call for a PIN or code—or knowledge—to grant secure access. Other methods might require the use of your cell phone (possession) or even your fingerprint (inherence).
Earlier this year, Google, the most widely used email service to date with 1.8 billion active users globally, announced that it will be making MFA a requirement for all users. Google, which already offered two-step verification, or 2SV, as an option, shared that it will now make this an automatic process for any Google account user looking to access their account.
“In 2020, searches for ‘how strong is my password’ increased by 300%. Unfortunately, even the strongest passwords can be compromised and used by an attacker – that’s why we invested in security controls that prevent you from using weak or compromised passwords,” shared Mark Risher, Director of Product Management, Identity and User Security, on the company’s blog. “One of the best ways to protect your account from a breached or bad password is by having a second form of verification in place.”
Though Google has standardized its own method of two-step verification, there are multiple methods of MFA that your organization can employ to keep your data safe. Some are more secure than others.
One-Time Passwords (OTPs): A one-time password (OTP) is an automatically generated string of characters that verifies a user for a single transaction or login session. One-time passwords are more secure than traditional, static passwords—especially static passwords that are user-generated.
SMS: Delivering OTPs by SMS text message to a mobile device is one of the most common ways that multi-factor authentication is configured. It is commonly the most user-friendly due to the ubiquitous use of cell phones. This method usually requires that the user receive an authentication code via text, which they then enter as a second wall of security to access an account.
Mobile Push: Mobile push authentication is a more sophisticated version of the SMS MFA method, where a notification is pushed to a mobile device over a WiFi connection and does not require mobile carrier service. This is considered one of the more secure MFA methods because it requires a direct connection to the app that receives the push notification. Mobile push is also more seamless for users because verification can often be completed in one click.
Cloud-based authentication: Cloud-based authentication is commonly completed via a process called single sign-on. Using this process, a user may access services with one username and one password, generally authenticated through a central account. This is of course convenient because a user is not required to recall multiple passwords. It also prevents multiple users from signing on to the same account. However, if a central account is compromised, it can lead to multiple data breaches through one user. This is why many organizations employ another type of MFA for central account authentication, such as browser or operating system accounts.
Risk-based authentication: Risk-based authentication methods are adaptive methods that shift the level of security required based on situational factors related to the request for access to a resource and the anticipated risk of granting access. So, based on whether or not you’ve used a computer or IP address before, what type of information you’re accessing, or what WiFi network you’re on, the authentication method might shift from a less secure but convenient method, like single sign-on, to a more secure MFA method, like mobile push authentication, to ensure that security has not been breached.
Regardless of the types of authentication methods an organization implements, flaws in configuration and other errors can leave room for cybercriminals to break through MFA security measures. This is why hundreds of organizations, large and small, partner with Milner’s managed IT team to ensure that their organization’s data remains secure, even as cybercriminals become more sophisticated. If you’re interested in ensuring that your organization’s password practices measure up to today’s new standard for authentication, grade yourself using our Password Report Card, or reach out to our team to find out how we can help you keep your organization’s data secure.